AUDIT REPORT

Audit of NRC's Protection of Safeguards Information

OIG-12-A-12          April 16, 2012

All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE
INSPECTOR GENERAL

April 16, 2012

MEMORANDUM TO:   R. William Borchardt
                 Executive Director for Operations

FROM:            Stephen D. Dingbaum /RA/
                 Assistant Inspector General for Audits

SUBJECT:         AUDIT OF NRC'S PROTECTION OF SAFEGUARDS INFORMATION (OIG-12-A-12)

Attached is the Office of the Inspector General's (OIG) audit report titled, Audit of NRC's Protection of Safeguards Information.

The report presents the results of the subject audit. Agency comments provided at the March 28, 2012, exit conference have been incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, Security and Information Management Audit Team, at 415-5911.

Attachment: As stated


EXECUTIVE SUMMARY

BACKGROUND

Safeguards Information, or SGI, is a category of sensitive unclassified information that is unique to the Nuclear Regulatory Commission (NRC). SGI is detailed security-related information that identifies security measures for the physical protection of special nuclear material, or security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilities. Unauthorized disclosure of SGI could have a significant adverse effect on public health and safety and/or the common defense and security by significantly increasing the likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction. Such an unauthorized release could result in damage to the Nation's critical infrastructure, which includes nuclear power plants and certain other facilities and radioactive materials licensed and regulated by the NRC.

Access to SGI is restricted to personnel who have an established "need-to-know" the information and are also deemed "trustworthy and reliable" by undergoing a background check and a Federal Bureau of Investigation criminal history records check. A security clearance is not needed to access SGI. While most people who consistently deal with SGI are NRC employees or licensees, access to SGI is not contingent upon one's relationship with NRC. For example, contractors, consultants, private citizens who participate in adjudicatory hearings, and qualified private citizens who choose to comment on certain regulatory guides can gain access to SGI if they meet the regulatory requirements stated above.

Hardcopy and electronic documents containing SGI must be protected in accordance with NRC regulations and guidance. When in use, documents containing SGI must always be under the direct control of the authorized user of the information. These documents must be protected to avoid disclosing the information to unauthorized persons. Within NRC, this means that hardcopy SGI documents are stored in locked security containers, while electronic copies are stored in the Safeguards Local Area Network and Electronic Safe (SLES). SLES is NRC's electronic document management system for the storage of electronic SGI documents.

NRC has given a select group of individuals within the agency the authority to review security documents to determine whether the items contain SGI and therefore warrant protection. These individuals are referred to as SGI designators, and the majority of offices have at least one designator. The SGI designator role is a collateral duty and employees must fulfill training requirements to become certified to perform the role. Only individuals who have been certified as SGI designators can make SGI determinations.

OBJECTIVE

The audit objective was to determine if NRC adequately ensures the protection of SGI.

This audit was conducted to follow up on an audit issued in January 2004, OIG-04-A-04, Audit of NRC's Protection of Safeguards Information. The 2004 audit found that the benefit of having an SGI program was unclear and that NRC lacked a central authority for controlling, coordinating, and communicating SGI program requirements. The audit also found examples in which NRC and licensee representatives inappropriately released SGI to unauthorized individuals.

RESULTS IN BRIEF

Since the 2004 audit, NRC has made improvements to the SGI program, including the development of a Management Directive specifically for SGI and identification of a lead program office for developing SGI policies and procedures. However, the Office of the Inspector General identified the following areas for further improvement of the SGI program: NRC (1) lacks a structured process for tracking SGI releases, (2) lacks guidance on granting "outsiders" access to SGI, and (3) has inadequate business processes over the SGI designator role.

RECOMMENDATIONS

This report makes recommendations to improve the agency's SGI program. A list of these recommendations appears on page 20 of this report.

AGENCY COMMENTS

At an exit conference on March 28, 2012, agency management stated their general agreement with the findings and recommendations in this report. Agency management also provided supplemental information that has been incorporated into this report, as appropriate. As a result, the agency opted not to provide formal comments for inclusion in this report.


ABBREVIATIONS AND ACRONYMS

ADM     Office of Administration
CFR     Code of Federal Regulations
CSO     Computer Security Office
DFS     Division of Facilities and Security
DSO     Division of Security Operations
IT      Information Technology
MD      Management Directive
NRC     U.S. Nuclear Regulatory Commission
NSIR    Office of Nuclear Security and Incident Response
OEDO    Office of the Executive Director for Operations
OIG     Office of the Inspector General
OIS     Office of Information Services
SGI     Safeguards Information
SLES    Safeguards Local Area Network and Electronic Safe


TABLE OF CONTENTS

EXECUTIVE SUMMARY ................................................... i
ABBREVIATIONS AND ACRONYMS .......................................... iv
I.   BACKGROUND ..................................................... 1
II.  OBJECTIVE ...................................................... 5
III. FINDINGS ....................................................... 6
     A. Lack of a Structured Process for Tracking SGI Releases ...... 7
     B. No Guidance for Granting "Outsiders" Access to SGI .......... 13
     C. Inadequate Business Processes Over the SGI Designator Role .. 16
IV.  CONSOLIDATED LIST OF RECOMMENDATIONS ........................... 20
V.   AGENCY COMMENTS ................................................ 21

APPENDIX
     OBJECTIVE, SCOPE, AND METHODOLOGY .............................. 22


I. BACKGROUND

Safeguards Information, or SGI, is a category of sensitive unclassified information[1] that is unique to the Nuclear Regulatory Commission (NRC). SGI is detailed security-related information that identifies security measures for the physical protection of special nuclear material,[2] or security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilities. Unauthorized disclosure of SGI could have a significant adverse effect on public health and safety and/or the common defense and security by significantly increasing the likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction. Such an unauthorized release could result in damage to the Nation's critical infrastructure, which includes nuclear power plants and certain other facilities and radioactive materials licensed and regulated by the NRC.

Access to SGI is restricted to personnel who have an established "need-to-know"[3] the information and are also deemed "trustworthy and reliable"[4] by undergoing a background check and a Federal Bureau of Investigation criminal history records check.[5] Additionally, a security clearance is not needed to access SGI. While most people who consistently deal with SGI are NRC employees or licensees, access to SGI is not contingent upon one's relationship with NRC. For example, contractors, consultants, private citizens who participate in adjudicatory hearings, and qualified private citizens who choose to comment on certain regulatory guides can gain access to SGI if they meet the regulatory requirements stated above.

[1] Other categories of sensitive unclassified information include proprietary information, allegation information, and personally identifiable information.
[2] "Special nuclear material" is defined by the Atomic Energy Act of 1954, as amended, as plutonium, uranium-233, or uranium enriched in the isotopes uranium-233 or uranium-235.
[3] Per Title 10, Code of Federal Regulations, Section 73.2 (10 CFR 73.2), "need-to-know" means a determination by a person having responsibility for protecting SGI that a proposed recipient's access to SGI is necessary in the performance of official, contractual, licensee, applicant, or certificate holder employment.
[4] Per 10 CFR 73.2, trustworthiness and reliability are characteristics of an individual considered dependable in judgment, character, and performance, such that disclosure of SGI to that individual does not constitute an unreasonable risk to the public health and safety or common defense and security. A determination of trustworthiness and reliability for this purpose is based upon a background check.
[5] Per 10 CFR 73.59, certain individuals do not need background checks prior to receiving access to SGI, such as (a) an employee of the Commission or the Executive Branch of the U.S. Government who has undergone fingerprinting for a prior U.S. Government criminal history records check; (b) a member of Congress; (c) the Governor of a State or his or her designated State employee representative; and (d) Federal, State, or local law enforcement personnel, among others.

Hardcopy and electronic documents containing SGI must be protected in accordance with NRC regulations and guidance.[6] When in use, documents containing SGI must always be under the direct control of the authorized user of the information. These documents must be protected to avoid disclosing the information to unauthorized persons. Within NRC, this means that hardcopy SGI documents are stored in locked security containers, while electronic copies are stored in the Safeguards Local Area Network and Electronic Safe (SLES). SLES is NRC's electronic document management system for the storage of electronic SGI documents.

[6] All media containing SGI, such as laptop computers or removable magnetic media (e.g., hard drives or compact disks), fall under the same regulations and guidance as hardcopy and electronic documents and must be protected accordingly.

NRC has given a select group of individuals within the agency the authority to review security documents to determine whether the items contain SGI and therefore warrant protection. These individuals are referred to as SGI designators, and the majority of offices have at least one designator. The SGI designator role is a collateral duty and employees must fulfill training requirements to become certified to perform the role.

Only individuals who have been certified as SGI designators can make SGI determinations. Management Directive (MD) 12.7 outlines the requirements that an individual must follow to be granted this certification. Specifically, there is a series of training modules that the individual must complete that covers specific SGI designator training. Once this training is completed, the employee sends his/her training certificates to the Office of Nuclear Security and Incident Response (NSIR) for review. An NSIR official places the individual on the certified designator list.

In addition to paper documents, individuals work with electronic SGI within SLES. To gain SLES access, a user must complete an application form and submit it to the Office of Information Services (OIS). There are two levels of access that a user can obtain: viewer and designator. The viewer role allows users only to view documents that they have been granted permission to see. The designator role has the same features as the viewer role, but also allows the user to generate SGI documents within the system. To be granted the SLES designator access level, the user must be a certified SGI designator and must submit the required training documentation to OIS.

Regulations and Orders

The Atomic Energy Act of 1954, as amended, provides NRC the authority to prescribe regulations to protect SGI. This Federal law also states the requirements for the criminal history records check in order to access SGI. The Code of Federal Regulations (Title 10, Part 73) establishes the general licensee performance requirements to protect SGI.

NRC has seven management directives that provide guidance to staff concerning the protection of information, including SGI:

1. MD 12.7 – NRC Safeguards Information Security Program, provides information security policy associated with the preparation, handling, distribution, accountability, and protection of SGI.
2. MD 12.6 – NRC Sensitive Unclassified Information Security Program, provides measures to ensure that sensitive unclassified information is handled appropriately and is protected from unauthorized disclosure.
3. MD 12.5 – NRC Automated Information Security Program, provides security measures to protect NRC information and information systems, including any hardware or software that is used to process, store, or transmit SGI.
4. MD 12.2 – NRC Classified Information Security Program, provides the proper procedures for all NRC personnel responsible for handling classified information.[7]
5. MD 12.1 – NRC Facility Security Program, provides measures to ensure that SGI and classified information is protected from unauthorized disclosure and that assets in NRC facilities are protected from harm, loss, or misuse.
6. MD 7.4 – Reporting Suspected Wrongdoing and Processing OIG Referrals, provides direction and guidance for reporting suspected wrongdoing to the Office of the Inspector General (OIG).
7. MD 3.4 – Release of Information to the Public, provides NRC staff general policy guidance on the release of agency information to the public.

[7] While MD 12.2 focuses on classified information, there is a correlation with SGI as the SGI program is modeled after the classified program according to NRC management.

Offices Involved

The primary NRC offices involved with the SGI program are NSIR, OIS, the Office of Administration (ADM), and the Computer Security Office (CSO).

NSIR's Division of Security Operations (DSO) is the SGI program owner and is responsible for developing and overseeing the implementation of NRC requirements and activities related to safeguards and security for NRC licensed facilities and activities. DSO is responsible for ensuring the protection of SGI and classified information at NRC facilities and by NRC contractors and licensees by planning, coordinating, and managing the information security program. DSO runs the SGI training program for NRC employees and administers NRC's SGI designator program.

OIS is responsible for providing expertise on NRC's information technology (IT) infrastructure, including security monitoring, assessment, incident response, and integration of automated solutions to proactively mitigate IT security vulnerabilities. OIS plans, develops, and delivers programs and services related to the storage, retrieval, protection, and preservation of NRC information in paper and electronic media. Regarding SGI, OIS owns and supports the infrastructure that SLES runs on and is responsible for granting appropriate user access.

Within ADM, the Division of Facilities and Security (DFS) establishes policy and plans and directs the agency's building management and facilities and personnel security programs. DFS administers the NRC security program for physical security and is responsible for physically protecting NRC facilities, ensuring the safeguarding of classified and sensitive unclassified information at NRC and NRC contractor facilities, and coordinating with other law enforcement agencies on related matters.

CSO, specifically the Cyber Situational Awareness, Analysis, and Response Team, is in charge of tracking, monitoring, and reporting NRC computer security incidents. CSO monitors NRC's IT security vulnerabilities, maintaining an awareness of the threat to NRC's IT infrastructure. This office conducts trend analysis of events and recommends actions to minimize or prevent releases of information. CSO handles electronic releases and NRC internal SGI policy that involves IT systems.

Unauthorized Releases of SGI

An SGI "release" is any situation where SGI information has been inadequately protected.[8] In the worst case scenario, a release results in an unauthorized individual seeing the sensitive information. However, there are many instances when that release does not result in any unauthorized access. For example, a document owner may leave SGI on his/her desk before realizing it later, or an NRC employee may not take the proper security steps when emailing an SGI document to another authorized user. Based on the scenario and type of release, the MDs require that all NRC employees report SGI releases to specific NRC offices. While the specific reporting offices are mentioned in the MDs, there are no clearly quantifiable timeliness requirements for reporting SGI releases.

[8] Any "release" that is reported to DFS is also called an infraction as part of NRC's Security Infraction Program. A security infraction is a failure to comply with NRC security requirements or procedures. This infraction category includes many types of issues, including actual or suspected compromises of SGI, failure to properly escort uncleared visitors, or loss of a badge under circumstances of negligence.


II. OBJECTIVE

The audit objective was to determine if NRC adequately ensures the protection of SGI. The report appendix provides information on the audit scope and methodology.

This audit was conducted to follow up on an audit issued in January 2004, OIG-04-A-04, Audit of NRC's Protection of Safeguards Information. The 2004 audit found that the benefit of having an SGI program was unclear and that NRC lacked a central authority for controlling, coordinating, and communicating SGI program requirements. The audit also found examples in which NRC and licensee representatives inappropriately released SGI to unauthorized individuals.


III. FINDINGS

Since the 2004 audit, NRC has made improvements to the SGI program, including the development of a management directive specifically for SGI and identification of a lead program office for developing SGI policies and procedures. However, OIG identified the following areas for further improvement of the SGI program: NRC (1) lacks a structured process for tracking SGI releases, (2) lacks guidance on granting "outsiders" access to SGI, and (3) has inadequate business processes over the SGI designator role.


A. Lack of a Structured Process for Tracking SGI Releases

While SGI releases are reported to NRC offices identified to record and respond to such incidents, the total universe of SGI releases is not known to NRC management. The universe of SGI releases is unknown because NRC does not have a structured, streamlined process for reporting and tracking releases. Without a full understanding of the universe of releases, NRC cannot trend releases to see if there is a systemic problem that could be resolved from additional guidance, or if clarifications to existing guidance need to be made.

Reporting Requirements

NRC managers involved with the SGI program should have access to complete information about SGI releases in a timely manner to respond to problems and improve the overall SGI program. NRC MDs provide guidance to employees on how to report problems concerning SGI. MD 12.7 is the overarching guidance document for SGI; however, several other MDs address the handling of various SGI releases. For example, MD 12.5 discusses computer-related issues with SGI, while MD 3.4 discusses all releases of information to the public.

Universe of SGI Releases Is Unknown

While SGI releases are reported to NRC offices assigned to record and respond to such incidents, the total universe of SGI releases is not known to NRC management. Based on the guidance provided in the MDs, employees report their SGI releases to one or more of the following five NRC offices: CSO, NSIR/DSO, ADM/DFS, Office of the Executive Director for Operations (OEDO), and OIG. Four of these offices maintain their own file system to keep track of the releases reported. For example, ADM/DFS maintains a spreadsheet that has the date the release occurred, the date it was reported, the offices and individuals involved, and a description of the release, while OEDO maintains a file folder containing the notifications the office has received. CSO and OIG also maintain some records; however, NSIR/DSO does not maintain any files for tracking SGI releases.

OIG performed an analysis to identify the total universe of SGI releases that were reported to CSO, ADM/DFS, OEDO, and OIG between March 11, 2005, and October 4, 2011.[9] During this timeframe, a total of 95 unique releases were reported to and recorded by the respective offices. Of these 95 releases reported, 91 were reported to only one office (see Table 1). Additionally, OIG identified four releases that were simultaneously reported to two offices (see Table 2). There were no releases reported to more than two offices. Tables 1 and 2 below show a breakdown of the number of reported cases and to which office they were reported.

[9] The purpose of OIG's analysis was to identify the universe of reported releases and not to assess whether releases were reported to the proper entity.

Table 1. Single Reported Releases

Source                           Total  2005  2006  2007  2008  2009  2010  2011
CSO                                 31     -     6     7     5     5     2     6
ADM/DFS                             51     -     -     -    15    15    11    10
OEDO                                 5     3     -     -     -     -     1     1
OIG                                  4     -     1     1     2     -     -     -
Issues Reported to One Office       91     3     7     8    22    20    14    17

Table 2. Dual Reported Releases

Source                           01/03/2008  10/19/2010  02/02/2011  09/27/2011
CSO                                       1           -           -           1
ADM/DFS                                   1           1           1           -
OEDO                                      -           1           -           1
OIG                                       -           -           1           -
Issues Reported to Two Offices            1           1           1           1

OIG also analyzed the length of time taken for releases to be reported. Of the 95 infractions reported between March 11, 2005, and October 4, 2011, 56 (59 percent) were reported on the same day that the release occurred, 15 (16 percent) were reported between 1 and 5 days, 14 (15 percent) were reported between 6 and 30 days, 2 (2 percent) were reported between 31 and 60 days, 4 (4 percent) were reported between 61 and 100 days, and 4 (4 percent) took longer than 100 days to report. The following chart provides a breakdown of the timeliness of the releases reported:

Table 3. Release Report Days

Days Between SGI Release   # of Infractions   Percentage of Releases
and Reporting              Reported           Reported in Each Time Period*
0                          56                 59%
1–5                        15                 16%
6–30                       14                 15%
31–60                       2                  2%
61–100                      4                  4%
>100                        4                  4%
Totals                     95                100%
* Percentage rounded to whole percentage point

Lack of a Structured Process for Reporting

NRC management does not know the universe of SGI releases because the agency lacks a structured, streamlined process for reporting and tracking releases. NRC has several MDs that explain and outline how various releases should be reported, but these directives contain different reporting requirements and there is no requirement for any single entity to keep track of all the reporting that occurs. MD 3.4, Release of Information to the Public, states that the OEDO and OIG should be notified of any release, in writing. Additionally, it states that NSIR must be contacted, but it does not state if this notification needs to be in writing. It further states the CSO should be contacted if the release involved IT systems. MD 7.4, Reporting Suspected Wrongdoing and Processing OIG Referrals, states that OIG should be notified if there is a willful violation with SGI. MD 12.1, NRC Facility Security Program, states that DFS should be notified, in writing, of any infractions and violations. MD 12.5, NRC Automated Information Security Program, states that CSO should be notified with any release related to computers.[10] MD 12.7, NRC Safeguards Information Security Program, states that DFS, NSIR/DSO, OEDO, and OIG should be notified of any release involving SGI. While MD 12.2, NRC Classified Information Security Program, provides guidance for the protection of classified information, it does not provide any information on how to report releases related to SGI.

[10] MD 12.5 identifies NRC's Office of the Chief Information Officer as having the responsibility to respond to incidents involving NRC systems that are processing sensitive information, SGI, and classified information. However, in October 2007, CSO was created and the Cyber Situational Awareness, Analysis, and Response Team was tasked with the responsibilities outlined in MD 12.5 for responding to computer security incidents, including SGI releases.

To add to the confusion, MD 12.7 incorrectly restates the reporting requirements listed in MD 3.4 when dealing with SGI releases to the public. MD 12.7 states that when reporting any inadvertent SGI release, DFS, DSO, OEDO, and OIG should be contacted. However, in MD 3.4, DFS is not listed as an office that should be contacted. The following chart is a breakdown of the MDs and the offices that are required to be notified for the various types of SGI releases:

Table 4. MD Reporting Requirements

MD      ADM/DFS   NSIR/DSO   OEDO   OIG   CSO
3.4        -         x*        x     x     x
7.4        -         -         -     x     -
12.1       x         -         -     -     -
12.5       -         -         -     -     x
12.7       x         x         x     x     -
* Note: MD 3.4 states that NSIR must be notified but does not specify which office within NSIR (e.g., DSO) should be contacted.

While a DSO official stated that they have tried to model the SGI program after the classified information program, this is not the case when it comes to reporting SGI releases. According to MD 12.2, NRC Classified Information Security Program, there is a single point of contact responsible for receiving all releases related to classified information. However, within the SGI program there is no single point of contact responsible for intake of all SGI releases. For example, in some cases, NRC senior managers will report the SGI releases to other senior managers in the responsible program offices, but this information is not necessarily reported in a timely manner to the staff responsible for tracking releases.
Nevertheless, OIG observed that CSO employs a \xe2\x80\x9cbest\npractice\xe2\x80\x9d for managing the intake of SGI releases. CSO maintains a\ntracking system with unique identifier numbers for each release and\nassigns two points of contact who rotate coverage to ensure someone is\nalways available to receive the reported releases.\n\n\n\n                                       10\n\x0c                                   Audit of NRC\xe2\x80\x9fs Protection of Safeguards Information\n\n\n\nAnother problem was NRC\xe2\x80\x9fs mandatory annual online information security\ntraining. While this training program conveys to employees what to do if\nthey come across unprotected classified information, it does not provide\nany information on who to contact or what to do if there is an SGI release.\n\nCompounding the non-streamlined approach to reporting and tracking SGI\nissues is a lack of communication among the offices involved with SGI.\nFor example, while NSIR is responsible for developing policies related to\nSGI and DFS is responsible for enforcing these policies, the two offices do\nnot share details on the releases identified. Furthermore, none of the\noffices that track SGI issues perform trending on the information or\nprovide statistics to other involved offices unless another office requests\nthis information. 
OIG also identified several instances where the offices\ninvolved with SGI did not know who to contact in the other offices to share\nor obtain information.\n\nNo Trending To Facilitate Improvements in SGI Program\n\nWithout a full understanding of the universe of releases, NRC cannot trend\nreleases to see if there is a systemic problem that could be resolved from\nadditional guidance, or if clarifications to existing guidance are needed.\nFurthermore, if trending on SGI releases were performed, NSIR could\nmake changes to the annual training to ensure that sufficient guidance is\nprovided on SGI problem areas.\n\nRecommendations\n\nOIG recommends that the Executive Director for Operations:\n\n1. Develop a structured reporting process that includes:\n     One point of contact to receive reports of all SGI releases.\n     A numbering system to track the number of releases reported in a\n     consistent manner.\n     A system to report information on releases from the central point of\n     contact to the responsible program offices.\n     A system to trend releases and to make any needed programmatic\n     changes.\n\n\n\n\n                             11\n\x0c                                    Audit of NRC\xe2\x80\x9fs Protection of Safeguards Information\n\n\n\n2. Update the affected MDs (3.4, 7.4, 12.1, 12.5, and 12.7) to provide\n   consistent guidance on the new reporting structure outlined in\n   recommendation 1.\n\n3. Develop and implement interim guidance to communicate the\n   structured reporting process to NRC staff.\n\n4. Update the annual online security information training to reflect the\n   reporting requirements for SGI releases.\n\n\n\n\n                              12\n\x0c                                         Audit of NRC\xe2\x80\x9fs Protection of Safeguards Information\n\n\n\nB.   
No Guidance for Granting \xe2\x80\x9cOutsiders\xe2\x80\x9d Access to SGI\n\n     While MD 12.7 provides details on many aspects of protecting SGI, it\n     lacks guidance on how to grant SGI access to a non-NRC, non-licensee\n     entity. MD 12.7 lacks information about approving SGI access to\n     outsiders because NSIR, which is responsible for the content of MD 12.7,\n     believes that the existing guidance is sufficient. Without comprehensive\n     guidance, there is no assurance that consistent measures are being taken\n     to protect SGI.\n\n     SGI Policy and Guidance\n\n     It is NRC\xe2\x80\x9fs policy to ensure that SGI is properly handled and protected\n     from unauthorized disclosure under pertinent laws, regulations,\n     management directives, and applicable directives of other Federal\n     agencies and organizations. Specifically, MD 12.7, NRC Safeguards\n     Information Security Program, provides NRC staff the security\n     requirements for the preparation, handling, distribution, accountability, and\n     protection of SGI. Regarding SGI access, MD 12.7 explains the eligibility\n     requirements to receive SGI, as well as those who are exempt from the\n     specific requirements. According to MD 12.7, NRC employees,\n     consultants, and contractors are all responsible for ensuring that the\n     procedures specified in the document are followed to protect SGI.\n\n     In accordance with the regulations, MD 12.7 states that to access SGI, an\n     individual must have a need-to-know the information and is subject to a\n     fingerprinting and FBI criminal history records check. 
The responsibility of\n     assessing the need-to-know of an individual falls on the owner of the\n     requested SGI document (e.g., the NRC employee who created the\n     document or the individual in possession of the document) per the\n     regulation, 10 CFR Part 73.\n\n     Office of Management and Budget Bulletin, M-07-07, \xe2\x80\x9cFinal Bulletin for\n     Agency Good Guidance Practices,\xe2\x80\x9d issued in January 2007, provides\n     guidance on the development of policies and procedures within\n     Government agencies. The bulletin explains that well-designed guidance\n     documents serve many important or even critical functions in regulatory\n     programs. Agencies can provide helpful guidance to interpret existing law\n     through an interpretive rule or to clarify how they tentatively will treat or\n     enforce a governing legal norm through a policy statement.\n\n\n                                   13\n\x0c                                                                Audit of NRC\xe2\x80\x9fs Protection of Safeguards Information\n\n\n\n                   Lack of Guidance on Granting Access to \xe2\x80\x9cOthers\xe2\x80\x9d\n\n                   While MD 12.7 provides details on various aspects of protecting SGI, it\n                   does not communicate a methodology for document owners to use when\n                   making determinations to grant non-NRC, non-licensees access to SGI.\n                   These individuals, or \xe2\x80\x9coutsiders,\xe2\x80\x9d11 may be interveners, vendors, external\n                   stakeholders, or members of the general public.\n\n                   As an example of the need for better guidance in this area, in May 2011,\n                   an outsider sought to provide comments on a proposed NRC technical\n                   document and asked for permission to view some SGI material that\n                   provided support to NRC\xe2\x80\x9fs technical basis. 
The document owner, an NRC\n                   employee with an extensive security background, was unaware of the\n                   proper steps or procedures to grant this access. The NRC employee\n                   could not locate any NRC guidance that detailed the steps of providing\n                   SGI access to outsiders. Consequently, the employee contacted Office of\n                   the General Counsel and NSIR management to develop a plan that would\n                   potentially allow the outsider to access SGI.\n\n                   The NRC employee took additional steps to add a layer of security by\n                   asking the outsider to sign a confidentiality agreement, and required the\n                   outsider to view the SGI at NRC headquarters only. The steps taken were\n                   not listed in any NRC guidance documentation. Accordingly, the\n                   document owner expressed frustration because the lack of guidance\n                   made the employee feel \xe2\x80\x9con her own\xe2\x80\x9d in dealing with this type of situation.\n\n                   Developing Guidance Not Identified as a Need\n\n                   MD 12.7 lacks information about approving SGI access to outsiders\n                   because NSIR, the owner of MD 12.7, believes that the existing guidance\n                   is sufficient. NSIR staff stated that everyone who accesses SGI is subject\n                   to the regulation; however, the regulation, like MD 12.7, does not describe\n                   a process for granting SGI to outsiders. Rather, regarding SGI access,\n                   only the owner responsibility requirement of determining the need-to-know\n                   was addressed. Furthermore, when NSIR staff were asked to describe\n                   the steps of granting SGI access to outsiders, they could not do so except\n                   to say that the regulation must be followed. 
NSIR confirmed that there\n                   were no additional requirements or a separate policy for granting outsiders\n                   SGI access, but claimed it was not a necessity as the regulations were\n\n11\n     The term \xe2\x80\x9coutsiders\xe2\x80\x9d is not an industry term and is being used strictly for the purpose of this audit.\n\n\n                                                        14\n\x0c                                    Audit of NRC\xe2\x80\x9fs Protection of Safeguards Information\n\n\n\nclear enough, and NRC staff could obtain assistance directly from NSIR if\nneeded.\n\nOne NSIR staff member claimed a confidentiality agreement must be\nsigned when granting outsiders SGI access. However, there are no\nstatutory or regulatory requirements that state the need to use a\nconfidentiality agreement.\n\nNo Assurance that Consistent Measures Are Applied To Protect SGI\n\nWithout comprehensive guidance, there is no assurance that measures\nare consistently being applied to protect SGI. There are no clear\ninstructions on how to grant SGI access to outsiders. If the discretion is\nleft solely to each individual document owner, there could be a disparity on\nthe controls used to protect SGI. Document owners may have varying\nlevels of security knowledge and could take different approaches in\ndetermining what is sufficient to distribute SGI. This potentially could lead\nto a security compromise as SGI could be viewed by an ineligible\nindividual or simply handled improperly by an approved outsider.\n\nWhile the particular example described above did not present any\nadditional known problems, this can be largely attributed to the document\nowner\xe2\x80\x9fs extensive security experience and self-admitted propensity for\nbeing extremely conscientious. However, this type of situation could very\nwell pose problems for other NRC staff in the future.\n\nRecommendations\n\nOIG recommends that the Executive Director for Operations:\n\n5. 
Update MD 12.7 to include detailed guidance on granting \xe2\x80\x9coutsiders\xe2\x80\x9d\n   access to SGI.\n\n6. Develop and issue interim guidance covering how to grant \xe2\x80\x9coutsiders\xe2\x80\x9d\n   access to SGI.\n\n\n\n\n                              15\n\x0c                                         Audit of NRC\xe2\x80\x9fs Protection of Safeguards Information\n\n\n\nC.   Inadequate Business Processes Over the SGI Designator Role\n\n     NRC does not have accurate and complete records on the universe of SGI\n     designators because NRC lacks adequate business processes over the\n     SLES SGI designator role and certified SGI designator list. A lack of\n     accurate SGI designator lists could prevent NRC from communicating\n     policy or procedural changes to those who have this responsibility and\n     ensuring there is adequate SGI designator coverage throughout the\n     program offices.\n\n     Structured and Efficient Programs\n\n     According to Federal Government guidance, including the Government\n     Accountability Office\xe2\x80\x9fs \xe2\x80\x9cStandards for Internal Control in the Federal\n     Government,\xe2\x80\x9d a program\xe2\x80\x9fs efficiency is dependent on (1) clearly\n     delineated roles and responsibilities of offices and individuals involved to\n     avoid confusion and ensure that people understand their roles and\n     responsibilities, (2) guidance documents to establish management\n     expectations and ensure that all staff involved understand their roles, (3)\n     training to ensure that employees have the skills needed to perform their\n     work, and (4) data that is organized to facilitate use by staff and managers\n     for decisionmaking.\n\n     Designator Lists Are Inadequate\n\n     NRC does not have accurate and complete records on the universe of SGI\n     designators. OIG interviewed 46 NRC employees who were listed on the\n     certified SGI designator list. 
Of the 46 interviewed, 16 (35 percent) did not\n     know they were on the SGI designator list. Furthermore, 21 individuals\n     (46 percent) have never designated SGI. Several employees had moved\n     offices, changed job functions, or no longer needed to maintain their\n     status as a SGI designator.\n\n     One designator said it was embarrassing that she had no idea she had\n     been on the SGI designator list for the past 3 years. She said she was\n     only with NRC for 6 weeks before apparently taking the online SGI\n     designator training course, and was incredulous that she could be\n     considered an SGI designator. Another individual said she had no idea\n     how she became an SGI designator. This individual took several NRC\n     online training classes when she was hired at NRC and assumes that the\n\n\n                                   16\n\x0c                                   Audit of NRC\xe2\x80\x9fs Protection of Safeguards Information\n\n\n\nSGI designator training course was one of these classes. However, she\nstated that while she is an NRC employee, she currently does not work in\nany NRC offices as she is a full-time student. Another employee said\nthere should be some type of yearly designator list scrub, or ongoing\ncompetency test, as there was no way he could designate SGI even\nthough he was on the SGI designator list.\n\nAfter OIG began contacting certified designators, some of these\nindividuals began contacting DSO to be removed from the SGI designator\nlist. At this point, NSIR became aware of a misalignment between the\ncertified designator list maintained by NSIR and the SLES designator role\nlist maintained by OIS. NSIR performed a review of all individuals with\nSLES designator access and discovered there were 137 SLES\ndesignators who were not on the certified SGI designator list. 
At the\nrequest of NSIR, OIS then reviewed each of these 137 individuals to\ndetermine if they had the proper training documentation to merit their\nSLES designator status. Upon completion of the review, OIS was able to\nprovide the proper training documentation for only 17 of the 137\nindividuals who had the SLES designator status. As a result, OIS\nchanged the SLES status from \xe2\x80\x9cdesignator\xe2\x80\x9d to \xe2\x80\x9creader\xe2\x80\x9d for the 120 users\nwho lacked sufficient paperwork, and informed the individuals that to\nregain SLES designator status, they would have to provide sufficient\ndocumentation supporting that the prerequisite SGI training requirements\nhad been met.\n\nLack of a Business Process Over the SGI Designator Role\n\nSGI designator lists are inaccurate because NRC lacks adequate\nbusiness processes over the SGI designator role. Specifically, there is no\ncoordination or communication between OIS and NSIR, and there are no\nformal procedures in place to ensure only proper individuals are\nconsidered SGI designators.\n\nNSIR and OIS lack coordination and communication regarding the SGI\ndesignator role. In granting individuals SLES designator access, OIS has\nnot communicated with NSIR to verify that these individuals are on the\ncertified designator list. There is also no cross-office communication\nbetween NSIR and OIS to ensure that the two designator lists match.\nFurthermore, OIG found that NSIR lacked a specific point of contact within\nOIS with regard to SLES.\n\n\n\n                             17\n\x0c                                    Audit of NRC\xe2\x80\x9fs Protection of Safeguards Information\n\n\n\nThere is also a lack of formal procedures related to the SGI designator\nrole. While there is a clear procedure in place to grant the SGI designator\nrole, there is no process to ensure that the list is properly maintained. 
The\nNSIR group responsible for maintaining the certified designator list takes\nan informal approach to collecting information about individuals who no\nlonger need to be on the list. For example, NSIR staff relies upon their\nown familiarity with SGI designators, reading the retirement\nannouncements posted on NRC\xe2\x80\x9fs Web site, and periodically checking the\nstaff directory to determine if the listed designators are still NRC\nemployees.\n\nFurthermore, there is no established procedure to contact employees to\ndetermine if they need to maintain their role as a certified SGI designator.\nOIS does not have any formal procedures to remove SGI designator\naccess from individuals or determine if the users still need to maintain this\nlevel of access to the SLES system. Additionally, once an SGI designator\nis certified, there is no required refresher training to ensure that\ndesignators maintain familiarity with their roles and responsibilities.\n\nThere are no formal business processes regarding the SGI designator role\nbecause management was not aware of this issue. However, since OIG\nconveyed these issues to NRC during the course of this audit, NSIR and\nOIS have begun to work together to resolve the issues. In December\n2011, OIS and NSIR held a meeting to discuss possible solutions and\nbetter controls over the SGI designator role. One resolution from the\nmeeting was to implement a policy that prior to granting any SLES\ndesignator access, OIS will first contact NSIR to ensure this individual is a\ncertified SGI designator.\n\nA lack of accurate SGI designator lists could prevent NRC from\ncommunicating policy or procedural changes to those who have the SGI\ndesignator responsibility, as well as ensuring there is adequate SGI\ndesignator coverage throughout the program offices. 
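The list reconciliation that NSIR and OIS performed (SLES designator role
holders checked against the certified designator list, with undocumented
holders set to "reader"), together with the periodic verification and the
annual refresher training the findings call for, can be expressed as a small
access-review routine. The following Python is an added example, not code
from the OIG report or from NRC; the user ids, the training dates, the review
date, and the 365-day training-validity window are all constructed
assumptions made for the example.

```python
"""Access review for a privileged application role (added example).

Reconciles a constructed SLES role list against a constructed certified
designator list and training records.  It produces the actions the audit
describes (downgrade role holders who lack documentation, flag mismatches
between the two lists) plus a refresher-training check.  All data, dates and
the 365-day validity window are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (assumed, not from the report).
SLES_ROLES = {                 # role held in the SLES system
    "u001": "designator",
    "u002": "designator",
    "u003": "designator",
    "u004": "reader",
    "u005": "designator",
    "u006": "designator",
}
CERTIFIED = {"u001", "u004", "u007"}        # certified designator list (assumed)
TRAINING = {                                # date of last documented training (assumed)
    "u001": date(2010, 5, 10),
    "u002": date(2011, 6, 1),
    "u007": date(2011, 12, 1),
}
AS_OF = date(2012, 1, 31)                   # review date (assumed)
MAX_TRAINING_AGE = timedelta(days=365)      # annual refresher window (assumed)


@dataclass(frozen=True)
class ReviewResult:
    unlisted: frozenset         # hold the SLES designator role but are not certified
    retain: frozenset           # unlisted, but current training is documented
    downgrade: frozenset        # unlisted and undocumented: set SLES role to "reader"
    stale_certified: frozenset  # certified but hold no SLES designator role
    refresher_due: frozenset    # certified designators whose training has lapsed


def training_is_current(user, training, as_of, max_age):
    """True only if the user has documented training no older than max_age."""
    trained = training.get(user)
    return trained is not None and as_of - trained <= max_age


def reconcile(sles_roles, certified, training, as_of=AS_OF, max_age=MAX_TRAINING_AGE):
    """Compare the two designator lists and decide the action for each user."""
    sles_designators = {u for u, role in sles_roles.items() if role == "designator"}
    current = {u for u in sles_designators | certified
               if training_is_current(u, training, as_of, max_age)}

    unlisted = sles_designators - certified          # the mismatch the audit found
    retain = unlisted & current                      # documented: keep, add to list
    downgrade = unlisted - current                   # undocumented: reader until documented
    stale_certified = certified - sles_designators   # list entries with no live role
    refresher_due = (certified & sles_designators) - current
    return ReviewResult(frozenset(unlisted), frozenset(retain), frozenset(downgrade),
                        frozenset(stale_certified), frozenset(refresher_due))


def apply_review(sles_roles, result):
    """Return a new role map with the downgrades applied; the input is not mutated."""
    updated = dict(sles_roles)
    for user in result.downgrade:
        updated[user] = "reader"
    return updated


if __name__ == "__main__":
    result = reconcile(SLES_ROLES, CERTIFIED, TRAINING)
    for label, users in (("downgrade to reader", result.downgrade),
                         ("documented, add to certified list", result.retain),
                         ("certified without SLES designator role", result.stale_certified),
                         ("refresher training due", result.refresher_due)):
        print(f"{label}: {sorted(users)}")
```

Running the review on the sample data downgrades u003, u005 and u006, keeps
u002 (documented within the window), flags u004 and u007 as certified entries
with no live role, and marks u001 as due for refresher training. Running it
on a schedule, and requiring OIS to call `reconcile` before granting the
role, is the mechanical form of the cross-office check described above.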
Furthermore, by requiring periodic refresher training, individuals who want
to remain designators would proactively maintain their certifications and
familiarize themselves with the SGI policies. Those who are no longer
interested in being designators could communicate this by not renewing their
certification.

Recommendations

OIG recommends that the Executive Director for Operations:

7. Develop and implement formal business processes for certified SGI
   designators and the SLES designator role. These procedures should
   include periodically verifying:
   - The need for individuals to maintain the designator role.
   - A match between the certified designator list and the SLES designator
     user list.

8. Develop and require annual refresher training for the SGI Designator
   role.

IV.   Consolidated List of Recommendations

OIG recommends that the Executive Director for Operations:

1. Develop a structured reporting process that includes:
   - One point of contact to receive reports of all SGI releases.
   - A numbering system to track the number of releases reported in a
     consistent manner.
   - A system to report information on releases from the central point of
     contact to the responsible program offices.
   - A system to trend releases and to make any needed programmatic
     changes.

2. Update the affected MDs (3.4, 7.4, 12.1, 12.5, and 12.7) to provide
   consistent guidance on the new reporting structure outlined in
   recommendation 1.

3. Develop and implement interim guidance to communicate the structured
   reporting process to NRC staff.

4. Update the annual online security information training to reflect the
   reporting requirements for SGI releases.

5. Update MD 12.7 to include detailed guidance on granting “outsiders”
   access to SGI.

6. Develop and issue interim guidance covering how to grant “outsiders”
   access to SGI.

7. Develop and implement formal business processes for certified
   designators and the SLES designator role. These procedures should
   include periodically verifying:
   - The need for individuals to maintain the designator role.
   - A match between the certified designator list and the SLES designator
     user list.

8. Develop and require annual refresher training for the SGI Designator
   role.

V.   AGENCY COMMENTS

At an exit conference on March 28, 2012, agency management stated their
general agreement with the findings and recommendations in this report.
Agency management also provided supplemental information that has been
incorporated into this report as appropriate. As a result, the agency opted
not to provide formal comments for inclusion in this report.

Appendix

OBJECTIVE, SCOPE, AND METHODOLOGY

OBJECTIVE

The audit objective was to assess if NRC adequately ensures the protection
of SGI.

SCOPE

The audit focused on reviewing the policies and procedures currently in
place to protect SGI. We conducted this performance audit at NRC
headquarters from September 2011 through January 2012. Internal controls
related to the audit objective were reviewed and analyzed. Throughout the
audit, auditors were aware of the possibility or existence of fraud, waste,
or misuse in the program.

METHODOLOGY

The audit team reviewed relevant criteria, including the Code of Federal
Regulations, Title 10, Part 73, Section 22, “Protection of Safeguards
Information: Specific Requirements”; the Atomic Energy Act of 1954, as
Amended, Section 147, “Safeguards Information”; Management Directive 12.7,
“NRC Safeguards Information Security Program”; Management Directive 12.5,
“NRC Automated Information Security Program”; Management Directive 12.2,
“NRC Classified Information Security Program”; Management Directive 12.1,
“NRC Facility Security Program”; DG-SGI-1, “Designation Guide for
Safeguards Information, Criteria and Guidance”; and SGI Inspection
Procedures 71130.06, 81810, and 87135. OIG auditors also reviewed the
previous NRC OIG audit report, OIG-04-A-04, “Audit of NRC’s Protection of
Safeguards Information.”

Auditors reviewed all three modules of the SGI designator training course,
as well as the Annual Information Security Awareness Course.

At NRC headquarters, in Rockville, Maryland, auditors interviewed NSIR, ADM,
Office of the General Counsel, CSO, OIS, and Office of International
Programs staff and/or management to gain an understanding of their roles and
responsibilities related to the SGI program. Auditors conducted telephone
interviews with 46 NRC staff, at headquarters and the four regional offices,
who were on the SGI designator list.

We conducted this performance audit in accordance with generally accepted
Government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objective.

The audit work was conducted by Beth Serepca, Team Leader; Rebecca
Underhill, Audit Manager; Larry Vaught, Senior Auditor; and Michael Blair,
Management Analyst.